Most crimes, especially most cybercrimes, are crimes of opportunity.
And faced with a proliferation of simple yet effective attacks from cybercriminals leveraging scalable tactics powered by innovations like generative artificial intelligence (AI), it is the little changes across an enterprise’s defense program that can make a huge difference.
That’s because in today’s digitized and hyper-connected operating landscape, cyberattacks and the threat of security breaches are around nearly every corner.
Most organizations are increasingly dependent on enterprise software, including many programs and platforms that they did not write themselves and which are not proprietary.
The internet was built to share information in a porous and democratized way — inherently, the internet was not built from a security-first perspective. This simple, single fact creates vulnerable holes and attack vectors for bad actors to probe and take advantage of, and it puts the onus on enterprises to secure their own walls.
Importantly, as we explore in the “Attack Vectors 2024” series, maintaining good and effective cyber hygiene is crucial for protecting enterprise workflows against cyber threats.
Regular training, phishing tests and practicing response protocols can all contribute to building a resilient defense foundation against digitally driven attacks and social engineering fraud.
According to a PYMNTS Intelligence study in collaboration with Hawk AI, nearly 43% of financial institutions (FIs) in the U.S. experienced an increase in fraud last year relative to 2022, with fraud losses rising by about 65%, from $2.3 million in 2022 to $3.8 million in 2023.
Already in 2024, mortgage company loanDepot experienced a cybersecurity incident at the start of the month (Jan. 8) in which an unauthorized third party was able to gain access to certain company systems and encryption data; and in December, VF Corporation, the owner of Vans, The North Face, Timberland and Dickies, found itself having trouble fulfilling orders after a Dec. 13 cyberattack.
The new year provides a good excuse for organizations to get their cyber house in order.
“The No. 1 thing that I would start with is good cyber hygiene,” Rosa Ramos-Kwok, managing director and business information security officer for commercial banking at J.P. Morgan, told PYMNTS, explaining that sometimes firms can fall behind on patching up legacy systems, which leaves aged software with “all sorts of vulnerabilities” in place because firms had “other priorities, or it was too expensive.”
She explained that it is rarely ever just one piece of data that is compromised by an attack but frequently an entire system, and managing the blast radius becomes critical in the aftermath of an attack.
From a technical standpoint, firms need to implement continuous monitoring tools to detect and respond to security threats in real time, conduct regular security audits and assessments to identify and address vulnerabilities in their systems, and restrict each user and system to only the resources it actually needs.
Additionally, companies need to encrypt sensitive data to protect against unauthorized access, keep all software up to date with the latest security patches, and segment internal networks so that an attacker who gains a foothold cannot move laterally across the environment.
Increasingly, deploying artificial intelligence (AI) and other modern innovations can help businesses establish a robust and multilayered defense.
“Once you’ve upscaled your technology stack and gotten your technical colleagues aware of how to use AI technology and apply it, it can be applied to use cases beyond just fraud or payments. It’s about applying this innovation across your business organization in a multitude of different ways,” Erika Dietrich, vice president, global fraud prevention risk services at ACI Worldwide, told PYMNTS.
“Fraud is one of those areas where you have an opportunity to reduce your attack ‘surface’ simply by moving to a more modern … methodology,” Finexio Chief Commercial Officer Bill Fox told PYMNTS.
Given that most businesses have more people than they do software systems, employees and even contractors are frequently the most vulnerable line of defense for bad actors to target. The more a company encourages practicing good cyber hygiene, the better muscle memory employees will have in the midst of an attack.
That’s why establishing employee training programs around phishing awareness, password security and social engineering is crucial, as is an ongoing emphasis on handling sensitive data responsibly.
Also critical is compiling after-action reports when something does go wrong.
“The after-action report will help you understand what your business continuity plan was and where it failed … If you haven’t stayed up on your hygiene, that will come out in the report. That’s why running red team exercises or simulated events is so important,” Matanda Doss, executive director and lead information security manager for commercial banking at J.P. Morgan, told PYMNTS.
Establishing a robust defense perimeter through both employee education and intrusion prevention systems will be what separates the firms of tomorrow that are easy targets from those that are left alone.